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Abstract— This article proposes private intersection weighted 
sum (PIWS), a scalable, fair, and privacy-preserving intersection 
weighted sum protocol and applies it to voting scenarios. The 
PIWS protocol can privately calculate the intersection of identity 
index sets maintained by each participant and can privately 
calculate the weighted sum of the data associated with the 
identity indexes of the intersection set. After the execution of 
the protocol, both parties can only know the weighted sum, 
but not any additional information, such as any identity index 
or associated data of the other party. The PIWS protocol is 
very suitable for the privacy-preserving weighted voting scenarios 
and has three novel characteristics. First, it does not require as 
many semitrusted tally clerks as other protocols, which greatly 
reduces the deployment, communication, and calculation costs 
involved. It only requires the distributed deployment of voting 
servers and weight servers that are honest but curious. This is 
consistent with the deployment framework of the future big data 
application backgrounds. Second, perfect privacy protection and 
ballot secrecy are achieved. That is, the voting terminal or polling 
station provides encryption services for ballots immediately after 
each ballot is cast. All voting information is then expressed in 
ciphertext throughout the weighting and counting processes, until 
the final result of the weighted vote is passed to the voting server 
in the ciphertext. After decryption, the voting server only knows 
the results of the voting and it has no knowledge of the content 
or preference of the ballots, the privacy of the voters, or even the 
process of counting the votes. This design avoids the disclosure 
of voter privacy and ballot information, and the ciphertext form 
also prevents malicious users from cheating or tampering with 
voter or ballot information during the counting process. To better 
explain the security of our protocol, we present the provable 
security of the protocol under the honest-but-curious model and 
show the formal verification obtained using the Tamarin prover 
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software. Third, our protocol not only achieves the function of an 
optional weighted voting protocol but also is relatively lightweight 
and efficient. The efficiency analysis results of the deployed voting 
system in terms of communication, storage, and calculation show 
that the protocol meets the requirements applicable to real-world 
applications. In summary, PIWS is superior to existing voting 
protocols in terms of function, security, and efficiency, and can 
be harmoniously applied to model updating of federated learning, 
consensus building of blockchain systems, or decision-making in 
artificial intelligence. 


Index Terms—Perfect ballot secrecy, privacy intersection pro- 
tocol, provable security, Tamarin, weighted voting protocol. 


I. INTRODUCTION 


LECTRONIC voting is an activity in which many legal 

voters make collective decisions through the delivery of 
ballots. It specifies the way voters express public opinion and 
is a way to convert public opinion into results. Electronic 
voting can be widely used in model updating of feder- 
ated learning [1], consensus building of blockchain systems 
[2]-[6], or decision-making in artificial intelligence [7]—[9]. 
Most voting systems are based on the idea that the minority 
obeys the majority and usually a proposal or candidate that is 
supported by more than half of the voters wins. However, when 
there are more than two alternatives to choose from, there may 
not be a candidate with more than half of the support. In this 
case, different voting systems may produce different results. 
The voting method and scenario depend on the specific forms 
of votes and rules and the interpretation of the ballot form 
and rules. We use the term “voting rules” to encompass all 
of the possibilities concerning ballots and collective decisions 
concerning specific forms. Voting rules specify in detail the 
form of ballots and the algorithm for calculating the voting 
results. Score-based voting has been proposed to meet vot- 
ing needs in various scenarios and has become a universal, 
flexible, and widely used voting method. Score-based voting 
rules require that the ballot of the voter consists of a score for 
each candidate. The winner is the candidate with the highest 
sum of the scores of all ballots. Score-based voting can be 
divided into five types of voting rules: PLURALITY, RANGE, 
APPROVAL, VETO, and BORDA [10]. 

As an important score-based voting method, weighted vot- 
ing meets practical needs in many scenarios. For example, 
in some specialized agencies of the United Nations, mainly 
in economic, financial, and other fields, weighted voting is 
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used as a decision-making rule in which voting weights 
are allocated according to factors, such as the strengths of 
member states, the amounts of member state responsibilities 
and contributions, and degrees of interest. There are various 
rules and forms of weighted voting. Some distribute weights 
based on economic factors and/or population; some divide 
the voting weight of member states into ordinary voting 
and weighted voting; some distribute weights based on inter- 
est groups belonging to member states. Weighted voting is 
a voting method that is the opposite of one-country-one- 
ballot voting. This type of decision-making system better 
reflects the true power of countries and more truly reflects 
differences in population, economic strength, comprehensive 
national strength, and contributions of the member states to 
the organization. Another example of weighted voting is the 
election of a company’s board of directors. The weight of 
the ballot is usually calculated based on the proportion of 
a company’s shares held by voters. Naturally, the number 
of each voter’s shares becomes the weight of each voter’s 
vote, that is, “one voter, one ballot” becomes “one share, one 
ballot.” 

Whether it is a “one voter, one ballot” election or an election 
conducted according to a weighted voting rule, whether a 
single-winner or multiple-winner voting rule applies, elec- 
tronic voting protocols have the same goal: to provide a 
scheme in which election results truly and accurately reflect 
the wishes of voters. An important way to achieve this goal is 
to ensure the security of voting rules or systems so that they 
can satisfy security requirements, such as voting eligibility, 
uniqueness, privacy, integrity, anonymity, correctness, fairness, 
and verifiability [11], as described in the following. 

Eligibility: Only authorized voters can submit ballots. 

Uniqueness or Prevention of Double Voting: Each voter 
can cast only one ballot and the system has double voting 
detection. 

Ballot Secrecy: Any information about the content of the 
ballot is kept secret from any authoritative agent; even the 
general tendency of a voter’s ballot should never be revealed. 

Integrity: No one can modify or copy any submitted ballot. 

Anonymity: After each ballot is submitted, it must be 
impossible to associate the ballot with its voter. In other words, 
no one can trace the connections between marked ballots and 
voters. 

Correctness: Only verified legitimate votes are counted and 
added to the results; the counting process is correct and robust. 

Fairness: The order of voters completing their votes does 
not affect the final voting result; that is, there is no adaptive 
voting or aborted voting. 

End-to-End Voter Verifiability: Each voter has a reliable 
method by which to verify whether the ballot he or she submits 
is weighted, stored, and counted as specified by the voting 
rules. 

Ballot secrecy and anonymity are two important guarantees 
that voters can express their true wishes. When voters worry 
about their ballots being leaked, they are likely to give up 
their votes or choose votes unfaithful to their inner ideas, 
because of fear of retaliation, extortion, or bribery. In contrast, 
when the voting system does not reveal any information about 
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ballots, voters can voters cast their ballots with confidence. 
As a result, perfect ballot secrecy [12] or complete privacy is 
proposed. That is, other than information that can be inferred 
from the published results, the voting protocol will not disclose 
any information concerning voter identity, ballot tendency, 
or ballot content. 

The complexity of various voting strategies [13] is an active 
topic in research on computing social choices. However, since 
the initial groundbreaking work on the topic [14], there have 
been endless researches on attacks that manipulate voting 
results and undermine the authenticity or fairness of voting 
rules, such as manipulation, control, and bribery of vot- 
ing [15]-[18]. Some recent studies have focused on the evalua- 
tion of attack complexity during the recalculation of votes [19] 
and optimal attack problems in voting, such as the deletion of 
voters [20], election bribery [21], and election control through 
social influence [22]. These attacks pose serious challenges 
to the security of voting protocols. Therefore, to meet the 
above-mentioned security requirements and resist the types 
of attacks described earlier, the ideal solution is that after 
voters cast their ballots, all subsequent processes, including 
ballot checking, weighting, and counting, are processed in 
the ciphertext. Perfect privacy preservation and ballot secrecy 
are guaranteed by encryption algorithms. The system needs 
to reliably complete ciphertext-based counting and provide 
encrypted results that can only be successfully decrypted by 
the result query server. The counting server that maintains 
the weights cannot disclose private voter information or bal- 
lot contents and cannot tamper with the encrypted voting 
results, as they cannot be decrypted. Because the voting server 
only receives encrypted results and does not have access to 
the weighting and counting processes, it cannot know any 
information about the contents of the ballots or private voter 
information. This guarantees perfect voter privacy and ballot 
secrecy. 

Contribution: We propose a privacy-preserving weighted 
voting protocol, private intersection weighted sum (PIWS), 
that ensures perfect ballot secrecy under the honest-and- 
curious security model. We provide security proof and formal 
verification and an analysis of the efficiency of the communi- 
cation, storage, and calculation costs of the deployed protocol. 
A comparison with other research work shows that PIWS 
offers advantages in terms of function, security, and efficiency. 
Our protocol has the following features. 

1) As a secure multiparty computing protocol for 
privacy-preserving calculation of the weighted sum, one 
of the typical applications of the PIWS protocol is 
a voting scenario. In addition to supporting regular 
score-based voting functions, weighted voting, which 
enriches the functions of the existing rule protocols, 
can also be implemented and extended owing to the 
PIWS function. In addition to the voting scenario, the 
PIWS protocol can be used in any scenario with the 
requirements of the privacy-preserving weighted sum 
calculation. 

2) Under the voting protocol, after voters cast their ballots 
at the voting terminal, the ballots can be encrypted into 
ciphertext immediately, so that the ballot contents cannot 
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be monitored or detected by any individual, authority, 
or malicious attacker. The voter’s weight information 
also exists in the form of ciphertext throughout the 
vote-counting process. The weighting process relies on 
the privacy intersection protocol to perform the mul- 
tiplication of the weights and scores of the ballots. 
Voters’ weight information and ballot contents can be 
maintained and protected in a distributed manner, so that 
adversaries cannot know any private information, such 
as voters’ weights or voting tendency. 

Our protocol eliminates impractical security assumptions 
concerning the trustworthiness of the authority center 
and removes multiple semitrusted tally clerks, which 
is a costly deployment method of communication and 
calculation. In the current big data scenario, we assume 
that the cloud service provider is honest but curious 
during the entire life cycle of our protocol, including 
the tallying and checking phases, until the final voting 
results are obtained in the form of ciphertext. The 
ciphertext form prevents ballot tampering by counting 
and query servers and ensures perfect ballot secrecy and 
privacy protection for voters. 

Our protocol is provably secure, and it can be proven to 
be indistinguishable from the simulation of perfect ballot 
secrecy and privacy preservation under the decisional 
Diffie-Hellman (DDH) assumption. Formal verification 
is also provided based on the Tamarin tool. 

Our protocol is deployable and efficient. We deploy 
the PIWS protocol with voting as the actual appli- 
cation to form a weighted voting prototype system 
with 20 K lines of code. The memory and time 
overhead of the system indicate that our protocol is 
efficient (i.e., with security parameters of 8192, only 
47.3 MB and 18.3 s are required for 10 K voters and 
100 candidates) and can be deployed in actual voting 
scenarios. 


3) 


4) 


5) 


The remainder of this article is organized as follows. 
Section II describes related research on voting protocols. 
Section III presents background information on cryptographic 
algorithms and protocols. In Section IV, we describe in detail 
our privacy-preserving PIWS protocol with perfect ballot 
secrecy. The results of the security analysis, including security 
proof under the assumption of DDH and formal verification 
based on the Tamarin tool, are presented in Section V. 
We provide a comparison of our PIWS protocol with pre- 
vious research work and a variety of efficiency evaluations in 
Section VI. Conclusions are presented in Section VII. 


II. PREVIOUS WORK 


The most common approach to designing a privacy- 
preserving voting protocol with perfect ballot secrecy, fairness, 
security, and anonymity is to rely on a trustworthy authority 
to decrypt and tally the votes in a verifiable manner and 
announce the results. However, countless privacy leaks and 
cybersecurity incidents tell us that there is no such thing as 
a fully trustworthy authority in the era of big data. Cloud 
service providers used in casting, checking, or tallying phases 


are often considered honest but curious; that is, they honestly 
perform actions stipulated in the protocol but may collect or 
leak users’ private information. For voting applications with 
high privacy protection requirements, the privacy of voters 
or ballot tendency may be leaked under this security model, 
and perfect ballot secrecy cannot be guaranteed. To ensure 
perfect ballot secrecy and privacy protection of the voting 
scheme without the assumption of a trustworthy authority, 
researchers have used a variety of technologies to design 
numerous electronic voting protocols. 

Early e-voting protocols were based on hybrid networks 
and anonymous channels [23] in which a series of honest 
“mixers” is used in the voting network and the protection of 
voters’ anonymity was achieved through blind selection and 
disconnection of these mixers. Implementation of this type 
of protocol involves huge communication costs and deploy- 
ment difficulties. Electronic voting protocols based on blind 
signatures have been proposed to better cut the connection 
between ballots and voters to achieve anonymity [24], [25]. 
These mainly use blind signatures to verify the eligibility of 
voters and the nonrepudiation of ballots. However, protocols 
based on blind signatures can only implement the APPROVAL 
voting rule. They are not as flexible and diverse as score-based 
voting schemes and are not well suited to meeting the prac- 
tical requirements of weighted voting. Their tallying phase 
is usually completed on the plaintext after the ballots are 
decrypted and published by a trusted authority. To avoid rely- 
ing on a trustworthy authority in the tallying phase, threshold 
cryptography distributes this trust normally among multiple 
semitrust tallying agencies, as with the Helios scheme [26]. 
A voting scheme based on secret sharing was first proposed in 
1987 [27], and election results were verified by all participants 
and even nonparticipating observers. The tallying phase of 
the scheme is based on secret-sharing homomorphisms, which 
allow calculations of secret shared data. Chen et al. [28] pro- 
posed a secure electronic voting system based on the discrete 
logarithm difficulty problem. Although the scheme uses blind 
signatures to ensure the anonymity of votes, a secret sharing 
scheme is used to achieve common decryption between the 
tally center and the supervision center, which reduces the 
risk of cheating by the tally center in the tallying phase. 
Furthermore, voting schemes based on blind signatures and 
secret sharing ensure the anonymity and nonrepudiation of 
voting, but the disclosure of ballot content or tendency and 
the plaintext-based tallying phase are often important ways in 
which voters’ private information is leaked, and many cheating 
behaviors occur in the tallying phase. In addition, some voting 
protocols or systems [29]-[32] improve the reliability and 
fault tolerance of the voting process by using technologies, 
such as lattice, fuzzy, and trapdoor commitment. However, 
these schemes ignore the security proof of the voting process, 
so the security of the process cannot be guaranteed. Therefore, 
in subsequently proposed voting protocols, the protection of 
the entire process, including casting, checking, and tallying, 
is taken into consideration, with the ballots encrypted and 
counted privately according to voting rules stipulated in the 
tallying phase of the protocol. Only credible, fair, and correct 
voting results are ultimately announced, ensuring that perfect 
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ballot secrecy and privacy protection are achieved throughout 
the entire voting process. 

Because homomorphic encryption can achieve aggregation 
of voting results in the ciphertext domain and can complete 
privacy-preserving ballots aggregation, a large number of 
voting protocols based on homomorphic encryption have been 
proposed. Damgard et al. [33] proposed an efficient electronic 
voting protocol based on Paillier, a public-key encryption 
algorithm that supports homomorphic addition. On the basis 
of secret sharing, combined with homomorphic encryption, 
their protocol can achieve a privacy-preserving tallying phase 
without a trustworthy authority. Nair et al. [34] designed a 
majority judgment voting protocol based on secret sharing and 
secure multiparty computation based on homomorphic encryp- 
tion. Although their protocol provides anonymity, it does not 
provide perfect ballot secrecy because it reveals the final 
aggregate score of each candidate. In addition, it is vulnerable 
to forgery cheating attacks because the protocol does not 
consider the detection of illegal ballots. Canard et al. [35] 
proposed a strategy-resistant majority judgment voting scheme 
for privacy protection. The protocol first converts the com- 
plex control flow and branch instructions contained in the 
majority judgment voting rule into a branchless algorithm 
and then uses homomorphic encryption and distributed com- 
puting to implement the privacy-preserving tallying phase 
on a limited set of logic gates. Although the tallying phase 
of this protocol is private and anonymous, the scalability 
and flexibility of the scheme are limited because it is not 
a score-based voting scheme. As a result, it is difficult to 
apply it to other voting rules and weighted voting applica- 
tion scenarios. Dery ef al. [36] designed a score-based voting 
protocol that can implement five voting rules. The protocol 
uses secure multiparty computing based on secret sharing 
and provides perfect ballot secrecy and a method to pre- 
vent cheating. Their scheme completes ballot casting through 
secret sharing and secretly shares the content of ballots 
with multiple semitrusted talliers. Based on the homomor- 
phism of Shamir’s secret sharing, the talliers use the bit 
decomposition protocol [37], a secure multiparty computing 
method based on the garbled arithmetic circuit, to complete 
the privacy-preserving counting of the shared secret in the 
tallying phase. However, voting protocols based on multiple 
semitrusted talliers have high requirements for communication 
and deployment costs. Having too few tellers increases vulner- 
ability to corruption attacks by more than half while having too 
many reduces operational efficiency and increases the cost of 
deployment. 

Another method to eliminate dependence on trustworthy 
authority centers is the self-tallying voting protocol, first 
proposed by Kiayias and Yung [12] and used in the board- 
room voting scenario. The self-counting protocol converts 
tallying into an open process, allowing any voter or third-party 
observer to perform aggregation calculations after all votes 
have been cast. Because anyone can count and verify voting 
results without a third-party assistant, the protocol requires the 
collusion of all other voters to disclose the ballot information 
of a certain voter, which guarantees perfect ballot secrecy to 
the greatest extent possible. The self-tallying voting protocol is 
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dispute-free because any party can check whether a voter has 
complied with the voting protocol correctly. Unfortunately, the 
self-tallying voting protocol has a fairness problem. Because 
the last voter can calculate the result before he casts his ballot, 
he may be able to make decisive voting actions, which raises 
adaptive issues or abortive issues. In response to the two 
general issues of traceability and fairness in the anonymous 
veto protocol, Bag et al. [38] proposed the two-round proto- 
col PriVeto, aiming to ensure privacy and ballot secrecy in 
extreme conspiracy situations through a blockchain consensus 
mechanism. A dual-signature-based electronic voting protocol, 
proposed in [39], satisfies all core security properties of 
electronic voting but still uses trusted institutions to announce 
and tally ballots. To address adaptive and abortive issues in 
the voting process without a trusted center, Yang ef al. [40] 
proposed a distributed network system named distributed SGX 
network system (DSGXNS) that is based on the Intel soft- 
ware guard extensions (SGX). Using the DSGXNS system, 
they produced a secure, publicly verifiable, and self-tallying 
online voting protocol based on the security assumption that 
administrators or malicious adversaries who have obtained 
administrative rights cannot read the data in the SGX enclave. 
Although the protocol addresses the adaptive and abortive 
issues associated with self-tallying voting schemes through 
hardware protection of data, the deployment cost of voting 
systems based on hardware security is relatively high. Similar 
to the self-tallying protocol, many blockchain-based electronic 
voting systems have also been designed [2]-[6], [41]. These 
systems attempt to use a consensus mechanism to achieve 
verifiable self-tallying and ballot announcements. However, 
the processes of block mining and consensus building incur 
considerable computational overhead and time costs, which 
makes the application of such systems in large-scale elections 
challenging. 

In summary, the research to date on the design of 
privacy-preserving voting protocols reveals the following prob- 
lems. First, in terms of voting rules, the above score-based 
voting schemes rarely consider weighted voting scenarios, 
which are common and important. Second, in terms of security, 
although voting protocols based on blind signatures or secret 
sharing technologies can provide anonymity, security issues 
may still exist in terms of perfect ballot secrecy and privacy 
protection in the tallying phase. Although the self-tallying 
voting protocol can eliminate the dependence on a trustworthy 
authority, there may be fairness issues, such as the potential 
for adaptive or abortion voting. Third, in terms of efficiency, 
voting protocols based on secret sharing often require mul- 
tiple semitrusted talliers, resulting in higher communication 
and deployment costs. Voting protocols based on blockchain 
technology may be inefficient because the consensus algorithm 
often takes too long. Tallying based on secure multiparty 
computing is often complicated because of garbled circuits. 

Therefore, under the honest-and-curious model, we propose 
a perfect privacy-preserving voting protocol that is provably 
secure. In addition to supporting regular score-based voting 
rules, our protocol can also implement a weighted voting 
rule, which enriches and expands the functions of existing 
voting rule protocols. In terms of security, it can not only 
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encrypt and protect ballots throughout the processes of casting, 
checking, and tallying to achieve perfect ballot secrecy and 
privacy protection, including weight information, but also 
provide security proof under the honest-and-curious model. 
Through efficiency analysis, the protocol was found to be suf- 
ficiently lightweight to be easily deployed in practical voting 
scenarios. 


II. PRELIMINARIES 
A. Score-Based Voting and Weighted Voting Rules 


1) Score-Based Voting Rule: Suppose there are N voters, 
denoted as V = {V,..., Vy}, and M candidates, denoted 
as C = {C),..., Cm}. We use [N] to represent the identy 
index set of participating voters, that is, set [N] contains the 
identy index of all N voters [N] := {1,..., N}. We use [M] 
to represent the identy index set of participating candidates, 
that is, set [M] contains the identy index of all M candidates 
[M] := {1,..., M}. The ballot score of each candidate Cm is 
recorded as s(m), where m € [M]. Let a constant integer 
K be the number of winning candidates. If K 1, the 
voting rule is a single-winner election; otherwise, the voting 
rule outputs the top K candidates as the winners. During 
the voting process, each voter V,, n € [N], creates a ballot 
Sn t= (S)(1),...,5,(M)), where s,(m) represents the vote 
score of voter V, for candidate Cm. The score is nonnegative 
and uniformly bounded. Then 


N 


s =(s(1),...,5(M)) := S sn 


n=l 


d) 


is the tallying result of the vote, and s(m) is the final score of 
candidate C,,. 

According to different application backgrounds, voters have 
different ballot inputs, which can be roughly divided into 
five types: PLURALITY, RANGE, APPROVAL, VETO, and 
BORDA, as shown in Table I. 

2) Weighted Voting Rules: Suppose there are N voters, 
denoted as V = {Vj,..., Vw}, and each voter has a weight 
W = {w,,...,wy}. There are M candidates, denoted as 
C = {Cj,..., Cy}. The ballot score of each candidate Cm 
is recorded as s(m), where m € [M]. Let a constant integer 
K e [M] be the number of winning candidates. If K = 1, the 
voting rule is a single-winner election; otherwise, the voting 
rule outputs the top K candidates as the winners. During 
the voting process, each voter V,, n € [N], creates a ballot 
Sn t= (5)(1),...,5,(M)), where s,(m) represents the vote 
score of voter n for candidate m. The score is nonnegative 
and uniformly bounded. Then 


N 
s = OO) 3) = > wnt, (2) 


n=! 


is the tallying result of the vote, and s(m) is the final score of 
the candidate Cm. 


B. Private Intersection Sum Protocol 


1) Privacy Set Intersection Protocol: The protocol enables 
two or more parties to privately calculate the intersection 


of their private input sets without revealing anything except 
the intersection elements. Variants of the privacy set inter- 
section (PSI) protocol also allow parties to calculate specific 
functions of the intersection, such as calculating the cardinality 
of the intersection or whether the cardinality of the intersection 
exceeds a certain threshold. The privacy intersection sum 
protocol can be derived from a variant of the privacy set 
intersection protocol. 

2) Private Intersection Sum Protocol [42]: The two parties 
of the protocol maintain two private input sets composed of 
identifiers, and one of the parties maintains a private dataset 
composed of integer values associated with each identifier. 
Through the implementation of the protocol, both parties want 
to know the cardinality of the intersection of two identifier 
sets and the sum of the integer values associated with the 
intersecting identifiers. Neither party wants to disclose more 
information, especially identifiers in the intersection, nor any 
other input information. 


C. Homomorphic Encryption CKKS 


The CKKS algorithm [43] is an approximate computational 
homomorphic encryption algorithm proposed in 2017. One 
of its concrete constructions is based on the BGV scheme, 
and it can also rely on other existing homomorphic schemes. 
CKKS is a limited-level fully homomorphic encryption. Each 
ciphertext corresponds to a depth, and there are L layers in 
total. The maximum level of the modulus scale is Q = qo- p+, 
followed by qo- p’~', qo - p’~*,..., qo. The modulus scale 
essentially consists of L selected prime numbers pj,..., PL 
which are approximations of p, and qo - px is used to denote 
the modulu of the kth layer. Obviously, the lower the level is, 
the smaller the modulus is, and the smaller the upper limit 
of the ciphertext size of this level is. Therefore, a larger- 
scale ciphertext can be adjusted to a shallower level through a 
rescaling operation to reduce the dramatic increase in cipher- 
text size in homomorphic multiplication and the decrease in 
computational efficiency and overflow caused by it. Unlike 
the previously described homomorphic encryption algorithm, 
whose decryption result is scrupulously consistent with the 
plaintext calculation result, the goal of the CKKS algorithm is 
to approximate the calculation of the real number in a practical 
application scenario, and only a portion of the effective digits 
must be retained. Owing to the allowable error and relaxation 
of the accuracy limit, CKKS greatly simplifies the details 
and greatly improves the calculation efficiency in contrast 
to other homomorphic algorithms based on the LWE/RLWE 
problem. In addition, it can be quickly incorporated into the 
implementation of homomorphic encryption libraries, includ- 
ing IBM’s HElib, Microsoft’s SEAL, and the most compre- 
hensive universal password library PALISADE. Focusing on 
its improvement upon the previous bootstrapping result to 
achieve efficiency optimization, Chen et al. [44] adopted a 
smart level-collapsing technique for evaluating the DFT-like 
linear transforms on the ciphertext, and replaced the Taylor 
approximation of the sine function with a more accurate and 
numerically stable Chebyshev approximation. As a result, the 
amortized bootstrapping time was improved and the problem 
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TABLE I 
VOTING RULES BASED ON SCORES 


Voting rule Ballot format 


Ballot meaning Goal of voting 


PLURALITY Sn E {e1,...,en} Support 1 from M Most supporters 
RANGE Sn € {0,1,..., LYM Score M candidates Highest score 
APPROVAL Sn € {0, i’ Support K from M Most supporters 
VETO Sn © {é1,...,éns} Veto 1 from M Least opponents 
BORDA Sn € {(x(0),...,7(M — 1)): 7 € TI} Sort M candidates Top ranking 


of plaintext or ciphertext growth was addressed. Recently, 
Li and Micciancio [45] implemented passive attacks against 
CKKS, demonstrating complete key recovery with high prob- 
ability and very modest running times. To address passive 
attacks, they also provided a solid theoretical basis for the 
security evaluation of homomorphic encryption on approxi- 
mate numbers and discussed possible modifications to CKKS, 
which may serve as a countermeasure to passive attacks. 
Accordingly, the latest developmental versions of HElib, SEAI, 
and PALISADE were tested and it was confirmed that the 
passive attack was no longer effective against them. The 
vote-counting process in score-based voting can essentially be 
regarded as a secure multiparty calculation problem. CKKS is 
one of the important approximate homomorphic encryption 
algorithms in the SEAL library, which is widely used to 
constitute privacy machine learning and federated computing. 
It is also an important component of a secure multiparty 
computing protocol. Because of its efficiency, continuously 
updated ecology, and capacity for floating-point ciphertext- 
based calculations, CKKS is suitable for constructing the 
PIWS protocol. 

CKKS consists of the following seven components: setup, 
key generation, encryption, decryption, addition, multiplica- 
tion, and rescaling. 


1) Setup: Assume that the security parameter is /, the 
upper limit of the depth is L, and N is a power of 2. 
A base p > 0 and a special modulus P for rescaling are 
selected. Let Q = qo: p’, so that N and P - Q satisfy the 
security level 2. Choose a distribution related to the private 
key xs, an error distribution ye, and a random distribution for 
encryption y,. For the convenience of description, q is used 
to represent the modulus of any layer in the following and 
satisfies g|Q. 


2) Key Generation: Initialize s <— y;, a < Ro, e < Xe, 
set the private key sk < (1, s), and calculate the public key 
pk < (b,a) € RÌ, here b = —a-s + e mod Q. Initialize 
a’ <— Rop, e <— Xe, and set the auxiliary calculation key 
(evaluation key) evk < (b', a’) € Rbo used for homomorphic 
multiplication, where b’ = —a’-s + e’+P -s* mod P - Q. 


3) Encryption: Generate r <— y, and eo, e1 < Xe, output a 
ciphertext c < r - pk + (m + eo, e1) mod Q for the plaintext 
polynomial m € R. 


4) Decryption: Input the ciphertext c € R? and private key 
sk, and calculate (c, sk) mod q = co + cı - s mod q. For a 
one-time encrypted ciphertext, the correctness verification is 
shown in 3. When —e -r + eọ + e1 - s is sufficiently small 


compared with Q, the decryption error is negligible 


m' = (c, sk) mod Q 
= ((b-r+m +e, a-r +e), (1, s)) mod Q 
= ((—a-s+e)-r+m+eo)+(a-r-s+e-s)mod Q 
= —e:-r +m + e+e -s mod Q X m. (3) 


5) Addition: For two ciphertexts c, c’ € R, output Cada <— 
c+ c mod q, Cada € R: Obviously, the decryption error after 
homomorphic addition is the sum of the decryption errors of 
the two ciphertexts. 

6) Multiplication: This is divided into plaintext multiplied 
by ciphertext and ciphertext multiplied by ciphertext. When 
the plaintext is multiplied by the ciphertext, that is, input 
ciphertext c € R? and plaintext m € R4, and output Cmut <— 
m c mod q, Cmut € Ri. Obviously, the decryption error is 
m times the decryption c error, which can be ignored. When 
the ciphertext is multiplied by the ciphertext, that is, input 
ciphertext c,c’ € Ri: calculate (do, d1, d2) = (CoC'o, coc’) + 
cic’, c1c'1) mod q, and output Cmut < (do, di) + LP! - d- 
evk + 1/2] mod q, Cmut € Ro The correctness verification of 
decryption after homomorphic multiplication can be seen in 4 
and 5 


Dec(c) - Dec(c’) mod q 
=cotc,:-s)-(c'o + c'i + s) mod q 
= co - c'o + (co + c'i + c'o- c1) -s + ci c'i + s? mod q 
= dy + dıs + dys” mod q (4) 
(P! . d - evk, sk) mod q 
P~'dyb! + (P~! dha") - s mod q 
= (P™!d(—a's + e' + Ps? mod PQ) 
+ (P~! dza's)) mod q = (s”)dy + (P7! dze") mod q 


x s? -da mod q (5) 
where dọ = co: c'o mod q, di = (coc'i + c'o - c1) mod q, 
and d) = cı - c'i mod q. The decryption of the ciphertext 


after homomorphic multiplication is approximately equal to 
the multiplication of plaintexts. 

7) Rescaling: Rescaling aims to solve the problems of 
ciphertext scale and homomorphic calculation error expansion. 
Input the ciphertext c € R? and the new modulus q’ < q and 
obtain the output c.s <— |(q'/4)- c + 1/2] mod q’, Crs € R, 
where the new modulus q’ is the modulus of the lower level 
of ciphertext, and (q'/q) in fact is 1/p;. The ciphertext is 
converted from a higher level to a lower level, and the scale 


and error are reduced by p; times. 
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Party1 


Generate k, 
Generate (pk,,sk,) 
Voter ID:U, 

Voter Weight :W 


Round 1 Shuffle {RO(u,)* > CKKS(w,, Pky )} ign) 


Setup 


Party2 


Generate k, 
Generate (pk,,sk,) 
Voter ID:U, 

Voter Score: S 


Shuffle ROU)" yian) 
> 
Shuffle {ROU } in) 
— Compute {ROU Jan] 
Round 2 { : Shuffle {ROV ,)" ,CKKS(s,, Pky} jgn) Shuffle({RO(,)" ,CKKS(s,, pka) qn) 
Compute {ROWv,)"" ,CKKS(s,, pk,)} aa 
Round 3 l 


Recombine{RO(u,)"® ,CKKS(w,, pk, Vicin 
Compute Intersection I 
Compute: >» CKKS(w,, pk,):CKKS(s., pk,) 


cel 


CKKS(}\w,s,, pk,) = >) CKKS(w,, pk,)-CKKS(s,, pk,) 
ce] cel 


» Decrypt CKKS > WS Pk) 


Fig. 1. Process of PIWS protocol. 


D. Decisional Diffie-Hellman Assumption 


Assuming that there is a group family G(A) for a security 
parameter 4, for a probabilistic adversary M, the advantage 
Adv of M winning a game in polynomial time is defined as 


Adv = | Pr[M (4, g, 9, g, 9”) = 1] 
— Pr[M(A, g, 8°, 8°, 8°) = 1]|— 1/2. ©) 


Group G is randomly selected from G(A), where g is 
the generator of G and parameters [a,b,c € [1,|G|] are 
randomly selected. If there is a negligible function ¢ that 
makes the upper bound of the adversary M winning the 
game is ¢(A), then group G can be considered to satisfy 
the DDH assumption for any probabilistic adversary M. Intu- 
itively speaking, the DDH assumption indicates that distrib- 
utions (g, g“, g°, g°) and (g, ¢%, g”, g@”) are computationally 
indistinguishable. 


IV. PRIVACY-PRESERVING INTERSECTION 
WEIGHTED SUM PROTOCOL 


To realize weighted voting rules, we designed the PIWS pro- 
tocol, which can be used to implement the privacy-preserving 
intersection weighted sum calculation. To be specific, after 
the identity-identifier sets of both parties intersect, the corre- 
sponding data are multiplied by each other, which is called 
the weighting process. The sum of the weighted data corre- 
sponding to the intersection elements is the output. We apply 
our PIWS protocol to the weighted voting application scenario 
and introduce the execution process of the PIWS in detail. 
There are two participants, one containing the voters’ identity 
identifiers and voting ballots, and the other containing the 


cel 
output X w,s, 


cel 


voters’ identity identifiers and weights. The process of finding 
intersections can be seen as a process of screening eligible 
voters and avoiding duplicates or illegal ballots. Under the 
honest but curious security model, the protocol finally calcu- 
lates and announces the number of legal voters participating 
in the tallying and the total weighted voting score of all 
candidates. Except for the output specified in the protocol, the 
participating parties shall not disclose any other information, 
nor can they learn any other information from the opposite 
party. The protocol includes setup, three rounds of interaction, 
and output. A detailed description of our PIWS protocol is 
shown in Fig. 1. 


A. Setup 


Both parties of the protocol negotiate security parameters 
and group G € G(J), and the user identity space U = U (4). 
Both parties can access the random oracle RO: U — G, and 
the user identifier is randomly mapped to the elements of group 
G. Party 1 maintains the set of identifiers U; = {uj }icim of m 
users, where u; € U, and the voting weights W = {wy}jefm) of 
m users, where weight w; is nonnegative and bounded. Party 
2 maintains a set of identifiers Uz = {uj} jeln] of n users, 
where u; € U, and ballots of n users, where the score of 
ballots is defined as s; := (s;(1), ...,s;(C)). [C] represents 
the set of candidates, s;(c),c € [C] represents the score that 
voter uj has scored for candidate c, and the score s;(c) is 
nonnegative and bounded. w;, sj, and dX wis j Meet the input 
space of the CKKS encryption algorithm under the security 
parameters 2. Both parties in the protocol randomly select 
fresh temporary private keys kı and kz in group G, generate 
the CKKS encryption algorithm public and private key pairs 
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(pki, sk,) and (pko, skz) for Party 1 and Party 2, and exchange 
the public keys of both parties. 


B. Round 1 


For each element u; € U;, Party 1 computes random map 
RO(u;) and uses temporary private key kı to perform a single 
encryption RO(u;)"'. Then, weight value w; corresponding 
to identifier u; is encrypted by Party 2’s CKKS public key 
pkz, thus computing CKKS(w;, pk2). Party 1 disrupts the 
order of encrypted identifiers and weights, saves the corre- 
sponding relationship between them to the local, and sends 
Shuffle{RO(u;)"' Jiem] to Party 2. 


C. Round 2 


After receiving Round | message, Party 2 uses its tem- 
porary private key ky to orderly encrypt each RO(u;)*', thus 
computing Shuffle{RO(u;)"”} icim] and returning it to Party 1. 
In addition, for each element v; € U2, Party 2 computes the 
random map RO(v;) and uses the temporary private key kz to 
perform a single encryption RO;)®. Then, the ballot score 
sj corresponding to the identifier v; is encrypted by Party 2’s 
CKKS public key pk2, thus computing CKKS(s;, pk2). Party 
2 disrupts the order of encrypted identifiers and scores and 
sents Shuffle({RO(v;)”, CKKS(s;, Pk2)} jet] to Party 1. 


D. Round 3 


After receiving Round 2 message, Party 1 uses its temporary 
private key kı to encrypt the first half item of each message 
RO(@;)} twice and obtains {RO(v;)@',CKKS(s;, pk2)}. 
Then, according to the corresponding relationship retained 
locally in Round 1, the message Shuffle{RO(uj)*"” Jem] 


received in Round 2 and the weight information 
CKKS(w;, pk2) encrypted by CKKS are reorganized 
to generate Shuffle{RO(u;)¥® , CKKS(w;, Pko)}icim] 


correspondingly. Then, Party 1 calculates the intersection 
according to the first item of set {RO(v;)"', CKKS(s;, pk2)} 
and = {RO(u;)"'"?, CKKS(w;, Pa) ici and obtains the 
intersection 7, where J = {c : RO(v,)*"! € {RO u; Yem} 
After multiplying the encrypted weight and the encrypted 
score corresponding to the identifier element of intersection 
I, the products are summed to obtain the final weighted 
score ciphertext $ e; (CKKS(we, pk2) - CKKS (se, pk2)). 
According to the homomorphism of the CKKS algorithm, 
it can be known that 


> (CKKS (wc, pk2) - CKKS(s,, pk2)) 
cel 
= s ))CKKS(wes¢, pk2). (7) 


cel 


Then, Party 1 sends X. e; CKKS(wes¢, pk2) to Party 2. 


cel 


E. Output 

After receiving Round 3 message, Party 2 decrypts 
bee 7 CKKS (wese, pk2) with its CKKS private key sk2, and 
obtains ` er Wese, which is the weighted voting score of all 
legitimate voters participating in the voting. 
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During the actual deployment and execution of the PIWS 
protocol, other voting rules can be implemented in par- 
allel trivially. The protocol can implement other optional 
score-based voting rules by fine-tuning the format of the ballot, 
that is, adjusting the ballot score according to Table I. For 
example, if the ballot scoring is adjusted to the ranking of 
C candidates, the BORDA voting rule can be implemented. 
If the ballot scoring is adjusted to a veto ballot format for 
C candidates, the VETO voting rule can be implemented. 
These fine-tunings are trivial and efficient. You only need to 
adjust the format of the ballot in the vote-casting phase and 
the subsequent protocol execution process will not have any 
impact, so the requirements of a variety of voting scenarios 
can be met flexibly. 


V. SECURITY ANALYSIS OF PIWS 


In the application scenario of the big data era, cloud service 
providers provide honest and reliable operations and services 
to users but may be curious about the identity or private 
data of the massive number of users. A large number of 
private information leakage incidents indicate that cloud ser- 
vice providers may betray users’ private information under the 
trend of interest. Corresponding to the deployment of voting 
protocols, servers that provide ballot casting, checking, and 
tallying will provide reliable storage, delivery, and computing 
services for voters but remain curious about voters’ privacy or 
ballot information. Due to the sensitivity of voting activities, 
the leakage of information, such as voters’ identities or ballot 
preferences will affect the credibility and authenticity of vot- 
ing activities, resulting in abandoning voting, bribery voting, 
or retaliatory voting, which are contrary to voters’ hearts. As a 
result, the anonymity, privacy protection, and perfect ballot 
secrecy of voting protocols will directly affect the credibility 
and fairness of voting rules. Specifically, in weighted vot- 
ing applications, in addition to voters’ identity information 
and ballot preferences, voters’ weight information may also 
become an important source of privacy leakage. Therefore, 
security proof of the protocol is very highly necessary and 
important. 

This section describes the proof of the security of our 
PIWS protocol in an honest but curious model, in which 
participants honestly follow the steps of the protocol but try 
to extract as much additional information as possible from the 
implementation of the protocol. It can be seen from the proof 
that except for the output weighted voting result specified in 
the protocol, the participating parties shall not disclose any 
other information, nor can they learn any other information 
about the opposite party, including the identity identifiers or 
weights of voters, or the scores or even preferences of the 
ballots. 


A. Security Proof 


We complete the security proof by introducing a simulator 
of our PIWS protocol that can honestly simulate each par- 
ticipant of the protocol. From the view of each participant, 
the simulator can only know the results disclosed by the 
protocol and the information it originally maintained, but 
it cannot know any information about other participants. 
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In the proof process, the view of the protocol participant 
includes the internal state of the participant (including main- 
tained data and input owned and the random values gen- 
erated) and all messages received in the protocol interac- 
tion. Intuitively speaking, after the implementation of the 
protocol, any party cannot know any additional information 
except for the output disclosed by the protocol. Therefore, 
let PIWS?“ ({(u;, Wi) bietmp (Oj; Si)} etn) represent the view 
of the participation Party p, and let SIM, denote that the 
simulator simulates the view of the honest participant Party 
p in the protocol implementation. The simulator algorithm is 
given in detail in the following proof process. The following 
needs to prove that the view of the actual implementation 
of the protocol participants is indistinguishable from the 
view of the honest and secure simulator, which is stated in 
Theorem 1. 

Theorem 1: The participant Party 1 of the PIWS protocol 
is secure under the RO model with honest but curious central 
authority if and only if there is a polynomial time simulator 
SIM, for the security parameter 1, given inputs {(u;, w;)} 


and LOS enp there is 


PIWS!” ({(ui, Whe (Oj S} jetmp 
xX SIM: (14, {(ui, Wi) bietmy> n, 71) (8) 


ie[m] 


where n is the number of all ballots that the voting server 
received from the voting station, which indicates the number of 
voters who participated in the vote. Obviously, this is publicly 
available data. J is the intersection in the protocol, which 
represents valid voters participating in the final tallying phase 
of weighted voting. |Z| is the cardinality of the intersection 
set, and represents the number of valid voters participating in 
the final tallying phase. 


Proof: First, we give the definition of Algorithm SIM). 

Algorithm SIM) (A, {wi}ietmj, 7, |Z|) shows that the essential 
difference between the simulator SIM, and the actual execu- 
tion of Party 1 PIWS!” lies in the message replacement of 
Round 2. Specifically, the message {RO(u;)*"?} sent in the 
actual execution of the protocol is replaced by the message 
{gi} sent by the simulator SIM, in step 3, and the message 
{RO(v;)”} sent in the actual execution of the protocol is 
replaced by the message {h;} sent by the simulation SIM, in 
step 4. Obviously, this replacement does not change the cardi- 
nality of the intersection, and the result of the weighted sum is 
0. Next, based on the idea of security reduction, we prove that 
the distributions of two adjacent games are computationally 
indistinguishable. The initial Game 0 is defined as the game 
in which Party 1 actually executes the protocol. 

1) Game l: All processes of Game 1 are equivalent to 
Game 0, except that the actual ballot scores are replaced 
by freshly encrypted 0. That is, replace CKKS(s;, pk2) with 
CKKS(0, pk2) in Round 2. The indistinguishability of the 
distribution of Game 0 and the distribution of Game 1 is 
guaranteed by the CPA security of the CKKS encryption 
algorithm. 

2) Game 2: All processes of Game 2 are 
equivalent to Game 1, except for all i e [m — 
||]. (ROU). ettu) is replaced by 


jet 


Algorithm SIM, Simulator Algorithm of the PIWS Pro- 

tocol From View of Party 1 
Input: (4, {Ui} icmp, |Z) 
Output: SIM; View(P;), where Pı represents Party 1 
Step 1. Generate private key kı € G, generate CKKS 
public and private key pair (pk), sk); 
Step 2. Calculate and send Shuffle{RO(u;)™ Jem] 
according to the protocol Round 1 honestly; 
Step 3. Generate a virtual set U; = {Sitictm, among 
which g; is randomly selected in group G, and returns 
fei em to Party | as the first message of Round 2; 
Step 4. Generate a virtual dataset U> = {hj} jela where 
h; = g; for j € [1, |Z|], and the other h; for j € [|Z|], m] 
are randomly selected in group G; 
Step 5. Return the shuffled messages 
{(h j, CKKS(0, Pk2))} etn] as Round 2’s second message 
to Party 1, in which each of CKKS(0, pk2) is freshly 
encrypted; 
Step 6. After receiving the message of steps 4 and 5, the 
simulator honestly calculates and generates the message 
in Round 3 according to the protocol; 
Step 7. Honestly output the view of Party 1’s actual 
protocol implementation. 


(8; hettu en in the first massage of round 2, 
where set {lti hiem O}; ejn) represents the complementary 
set of intersection J in the set {u;};¢j,;, and g; is an element 
randomly generated in group G. The distributions of Game 
2 and Game | are computationally indistinguishable, which is 
guaranteed by the DDH assumption. We introduce Lemma 1 
to prove that the distributions of Game 2 and Game 1 are 
computationally indistinguishable. 


3) Game 3: All processes of 
equivalent to Game 2, except for all j € 
{RO(W;)" I jelol im \ ilem] 18 TePlaced by {hi} etto) Nte] 
in the second massage of Round 2, where set 
{o;} jeja) Mi hiet] represents the complementary set of 
intersection J in the set {v;} jela} and hj is an element 
randomly generated in group G. Similarly, the distributions of 
Game 3 and Game 2 are computationally indistinguishable, 
which is guaranteed by the DDH assumption. The proof can 
be observed in Lemma 1. 


Game 3 are 
In — |Z|]. 


4) Game 4: All processes of Game 4 are equivalent to 
Game 3, except for k e [|Z|], replace {ROC req 
with (ek hen in the first massage of round 2, replace 
{RO 0)" helr with {8k}kemzy in the second massage of 
Round 2, where {(ux)}kenzy and {@x)}kenzy represent the 
elements of intersection 7, and {(Wx)}reqjny = (Ox) beet 
{Skheetj) is an element randomly generated in group G. 
Similarly, the distributions of Game 4 and Game 3 are 
computationally indistinguishable, which is guaranteed by 
the DDH assumption. The proof can be observed in 
Lemma 1. 


5) Game 5: Output Party 1’s view of protocol execution 
through the simulator SIM). 
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The computational indistinguishability between Game 2 and 
Game 1, Game 3 and Game 2, and Game 4 and Game 3 is 
based on the DDH assumption. We use Lemma 1 to prove 
the indistinguishability of Game 2 and Game 1, and the 
corresponding proofs of indistinguishability between Game 3 
and Game2, Game 4, and Game 3 can be obtained in the same 
way. 

Lemma 1: The distribution of Game 2 and Game 1 are 
computationally indistinguishable under the DDH assumption. 

Proof: The only difference between Game 2 and Game 1 
is that for all i € [m — |I], (ROU) } etue) 
is replaced by E lea j in the first massage of 
round 2, where set lehien UO rami represents the comple- 
mentary set of intersection J in the set {uj}jepm). If it can 
be proven that all the pairs of (m — |Z|) messages replaced 
are indistinguishable, it is obvious that Game 2 and Game 1 
are indistinguishable. Therefore, we randomly select a pair 
of messages replaced, the corresponding game before the 
replacement is recorded as Game(1;), and the corresponding 
game after the replacement is recorded as Game(2;). We prove 
Lemma 2 as follows. 

Lemma 2: The distributions of Game(2;) and Game(1;) are 
computationally indistinguishable under the DDH assumption. 


jet! 


Proof: We give the simulator algorithm of Game(2;), 
denoted as SIM3,. 

As defined by the algorithm of the simulator SIMb,, we first 
rewrite the random oracle into a format of modular expo- 
nentiation and then express the temporary private key k of 
Party 2 as element b in the DDH tuple. As a result, the 
element in the first message sent by Party 2 in Round 2 
becomes 


gi = (g°)" for uj = uy 


k 
= (g”) ' for uj ¢ Wj} jetnp Hi < Uj 


= ((g)")" for other u;. (11) 
Because the above-mentioned form is equivalent to 
gi = (g")° for u; = uy = (g") for u; A uy (12) 


where g” represents randomly selected elements in group G. 
Obviously, this formula satisfies the correct massage format 
RO(u;)""™ of the protocol. In addition, the massage format 
sent by Party 2 in Round 2 is (g’)” = (gsi)? = RO;)®, 
which also satisfies the correct massage format described by 
RO(v Pi in the protocol. It can be seen that the massage 
distribution of the simulator algorithm SIM», is equivalent 
to the distribution of tuples (g, g“, g, g°) and the message 
format of the simulator SIM», during the protocol execution 
is in the correct format. 

Next, we give the simulator algorithm of Game(1;), denoted 
as SIMj,. 

Obviously, the essential difference between the algorithm of 
the simulator SIM), and SIMp, is that in the case of u; = uy, 
gi = g° becomes g; := g“”. Correspondingly, in the case of 
u; = uj’, the format of the element in the first message sent 
by Party 2 in Round 2 is 


a k a 2 
gi = (8”)" = (4) = ROG)" (15) 
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Algorithm SIM>, Simulator Algorithm of Game(2;) From 


View of Party 1 
Input: G, i, (g, 8", g, 8°), {ui Jiem Wj) jen) 
Output: SIM, View(P;) in Game(2;), where Pı 
represents Party 1 
Step 1. Rewrite the DDH triplet of the random oracle in 
the protocol as follows: 


RO(u;):= g" = for uj # uj 
RO(u;):= 8f for uj =uj. (9) 
RO(v;):= g" Vi e[n] 
where r; and s; are randomly selected elements in group 
G and u; represents the new element after replacement 
in Game(2;); 
Step 2. Generate private key kı € G, and generate CKKS 
public and private key pair (pk), sk); 
Step 3. Calculate and send shuffled{RO(u;)" dietm| 
according to the protocol Round 1 honestly; 
Step 4. Generate a virtual set U; = {Sitictmy a8 follows 
and return {gi} to Party | as the first message of 
Round 2; 


ie[m] 


— c — 
gi i= ge for uj =u; 


gi := random in G for u; ¢ {vj} Ui < Uy 


(10) 


jela]? 


gii= (g?)" for other ui. 


Step 5. Return the shuffled messages 

{((g’)”, CKKS(0, Pk2))} jej as Round 2’s second 
message to Party 1, in which each of CKKS(0, pkz) is 
freshly encrypted; 

Step 6. After receiving the messages of steps 4 and 5, 
the simulator SIM», honestly calculates and generates the 
messages in Round 3 according to the protocol; 

Step 7. Honestly output the view of Party 1 

SIMb, View(P;) in Game(2;). 


which also satisfies the correct format 
RO(u;)"®. 

In summary, the two algorithms of simulator SIM), and 
simulator SIMs, are simulation algorithms of the protocol 
with (g, ¢“, g”, g°) and (g, g°, g”, g%”) as input, respectively. 
Because the distributions (g, g“, g°, g°) and (g, g%, 2”, 2%) 
are indistinguishable, the distributions of simulator SIM), 
and SIM», are accordingly indistinguishable. Furthermore, 
Game(2;) and Game(1;) are computationally indistinguish- 
able, and the proof of Lemma 2 is complete. 

According to Lemma 2, for any reprogramming in the 
format of (m — |I|) messages in Game 2 and Game 1, the 
distributions of the game before and after rewriting (such as 
Game(2;) and Game(1;)] are computationally indistinguish- 
able. Such, the distributions of Game 2 and Game 1 are also 
computationally indistinguishable. Lemma 1 is proven. 

The proof of Lemma 1 can be trivially promoted, and it 
can be seen that the distributions of Game 3 and Game2, and 
Game 4 and Game 3 are also computationally indistinguish- 


able under the DDH assumption. 


massage 
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Algorithm SIM), Simulator Algorithm of Game(1;) From 
View of Party 1 
Input: (4, i, (g, as g, g”), {i liem Wijen) 
Output: SIM), View(P;) in Game(1;), where 
P\represents Party 1 
Step 1. Rewrite the DDH triplet of the random oracle in 
the protocol as follows: 


RO(u;) := g" for uj Æ uj 
RO(u;) := g} for ui = uj 
RO(v;) := 8", Vi € [n] 


where r; and s; are randomly selected elements in group 
G and u; represents the new element after replacement 
in Game(1;); 

Step 2. Generate private key kj € G and generate CKKS 
public and private key pair (pk), sk); 

Step 3. Calculate and send shuffled{ RO (u;)"'} etm 
according to the protocol Round | honestly; 

Step 4. Generate a virtual set U; = {Sitictmy a8 follows 
and return {gi} to Party 1 as the first message of 


(13) 


ie[m] 
Round 2; 
gi := g” for uj = uy 
gi := random in G for ui ¢ Wj} jetnp Mi < uj (14) 
gi := (g’)" for other uj. 


Step 5. Return the shuffled messages 

{((g’)’, CKKS(0, Pk2))} jej] as Round 2’s second 
message to Party 1, in which each of CKKS(0, pkz) is 
freshly encrypted; 

Step 6. After receiving the messages of steps 4 and 5, 
the simulator SIM», honestly calculates and generates the 
messages in Round 3 according to the protocol; 

Step 7. Honestly output the view of Party 1 

SIM;, View(P;) in Game(1;). 


Finally, the distributions of the actual execution of our 
PIWS protocol PIWS! and the simulator algorithm SIM; are 
computationally indistinguishable, that is 8 is satisfied. The 
proof of Theorem 1 is completed. 

Correspondingly, Party 2’s view of the actual implemen- 
tation of our protocol is indistinguishable from the view of 
the honest and secure simulator SIM>, which is stated in 
Theorem 2. 

Theorem 2: The Party 2 of the PIWS protocol is secure 
under the honest but curious model, if and only if there is a 
polynomial time simulator SIM», for the security parameters 
A, given inputs {(u;, Wi) }icfm and {(o;, sj)} there is 


PIWS™* (Cui, wi) ict» (Os SI) jetny) 
~ SIMp(1’, {(ui, Wi) biefmjs m, S) 


Jelnl’ 


(16) 


where m is the number of all ballots that the voting server 
receives from the voting station, which is the number of 
members in a certain city or group. Obviously, this is publicly 
available data. S = a WcSc is the final score of all 
candidates after the weighted tallying phase. 


11 


Proof: The proof of Theorem 2 is similar to that of 
Theorem 1. We also present the simulator algorithm SIM) to 
simulate Party 2’s view during the execution of the protocol. 
When executing the simulator algorithm, SIM, randomly 
selects m elements in group G to replace {ROC} Jiem in 
the original message in Round 1, and replaces the calculated 
result of the weighted sum S = Je; WcSe with the randomly 
generated CKKS algorithm ciphertext CKKS (random, pk2) in 
Round 3. It is not difficult to find that the difference between 
the simulator algorithms SIM» and SIM; is only that the 
{ROW} bictmy in the original message are replaced with m 
randomly selected group elements. Evidently, based on the 
discrete logarithm difficulty assumption, this replacement is 
indistinguishable in distribution. The rest of the proof can be 
obtained by analogy with Theorem 1. 

In summary, according to the proofs of Theorems | and 2, 
the distribution of the actual execution of our PIWS pro- 
tocol PIWS?*({(ui, Wi)bietm|> {js Sj)} jen) 18 indistinguish- 
able from the perfect simulator algorithm SIM, with honest 
but curious central authority from the perspectives of both 
Party 1 and Party 2. No party can obtain additional information 
other than the public information of the protocol, that is, the 
protocol is secure under the honest but curious model. 


B. Formal Verification Based on Tamarin Tool 


If the provable security method is regarded as “proving the 
correctness” of the security, then the formal method based 
on model checking is the process of “searching the error” 
during the protocol execution. The formal method achieves the 
detection of protocol vulnerability by traversing the protocol 
execution state space and searching for abnormal states or 
traces. The formal analysis tool Tamarin [46] is a formal 
modeling and verification tool for security protocols that 
can automatically execute based on symbolic models. The 
execution process of the protocol role is formalized through 
multiset rewrite rules that define the state transition system 
with tags whose states include adversary knowledge, protocol 
messages, fresh values, and events. The adversary and the 
protocol interact by updating and generating protocol mes- 
sages, and constantly updating the states of participants and 
adversary during the interaction. Tamarin uses equation theory 
to model the properties of algebraic operations and encryption 
primitives, such as Diffie-Hellman exponentiation, encryption 
and decryption, and hash functions, and uses traces to model 
security attributes. The process of verifying target attributes 
involves checking the traces or equivalence of observations of 
the state transition. 

When analyzing the security of the protocol using the 
Tamarin tool, we need to formally describe the security 
protocol as input, specifying the executions or actions taken by 
different roles (e.g., protocol initiator, responder, and trusted 
server), the adversary’s capabilities and knowledge, and the 
target attributes. Then, Tamarin can automatically construct 
a proof such that multiple instances of the protocol role are 
interleaved with the adversary’s actions in parallel, and the 
protocol satisfies its target properties. Tamarin provides two 
methods for constructing proofs, the more convenient and 
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TABLE II 
FORMAL DESCRIPTION OF THE CKKS HOMOMORPHIC CALCULATIONS 


Formal description 


functions: CKKS_enc/2,CKKS_dec/2,CKKS_mul/2,mul/2,pk/1,RO/2,verif/1,true/0 
equations: CKKS_dec(CKKS_enc(a,pk(k)),k)=a 
rule transform: 
let 
x=CKKS_mul(CKKS_enc(m,k),CKKS_enc(n,k)) 
y=CKKS__enc(mul(m,n),k) 


Algorithm properties 


Encryption algorithm 
Decryption algorithm 


Homomorphic multiplication 

in 

[!Auth($A,x)||Transform()]-> [!Auth($A,y),Out ($A, y)] 

rule transform: 

let 
: me x=CKKS_add(CKKS_enc(m,k),CKKS_enc(n,k)) 
Homomorphic addition y=CKKS_enc(add(m,n),k) 
in 


[!Auth($A,x)]-[Transform()]-> [!Auth($A,y),Out($A, y)] 


TABLE INI 
FORMAL DESCRIPTION OF THE TARGET SECURITY ATTRIBUTES OF PIWS 


Algorithm properties Formal description 


lemma reachable: 


Reachable exists-trace 
"Ex n #i. Finish(n) @ i” 
lemma compute secrecy: 
”not(Ex n #i #j. Finish(n) @ #i 
Confidentiality & K(n) @ #j 


& not(Ex #r. Reveal(’A’) @ r) 
& not(Ex #r. Reveal(’B’) @ r) 
& not(Ex #r. Reveal(’CKKS’) @ r))” 
lemma compute secrecy with one temporal key reveal: 
”not(Ex n #i #j. Finish(n) @ #i 
& K(n) @ #j 
& not(Ex #r. Reveal(’B’) @ r 
& not(Ex #r. Reveal(’CKKS’) @ r))” 


Confidentiality under one-party corruption 


commonly used of which is its efficient fully automatic mode, 
which combines state transition, equation theory reasoning, 
and heuristic rules to guide the proof search. When the auto- 
matic proof search terminates, it returns a correctness proof 
or counterexample, which indicates that the protocol does 
not satisfy the target attribute by outputting the attack path. 
However, when the target attribute of the security protocol 
is an undecidable problem, Tamarin may fail to terminate 
automatically. When this occurs, we need to use the interactive 
mode to convert and traverse the trace, check for abnormal 
paths or attacks, and manually guide the tool to provide 
verification results. 

In this section, we verify the security of our PIWS protocol 
based on the Tamarin tool. According to its operational seman- 
tics, a role-based formal description of the PIWS protocol and 
target security attributes is carried out, and equation theory 
rules are given for the cryptographic algorithms and algebraic 
operations involved in the protocol. It is worth noting that there 
is no formal description rule that can describe the homomor- 
phic operation properties of the CKKS encryption algorithm 
in the Tamarin tool. Therefore, during the formal verification, 
we focused on the formal description of the homomorphic 


encryption attributes, as shown in Table II. We use equality 
theory to add homomorphic calculation attributes to avoid 
abstracted formal descriptions of the algebraic properties, 
which may lead to neglect or false reports of attacks. This 
makes the input and process of protocol verification more 
consistent with the original properties. In addition, when 
modeling the PIWS protocol session, we also use the built-in 
hash and asymmetric encryption of Tamarin to model its 
encryption primitives. Specifically, ten rules are defined for 
the PIWS protocol, six of which are used for protocol session 
modeling, two are used for public key infrastructure modeling, 
and two are used for adversary capability characterization.! 
After the formal description of the PIWS protocol is pro- 
vided, the target security properties are also required, as shown 
in Table III. First, the reachable property is to verify the 
completeness and correctness of the protocol formalization, 
equation theory, and conversion rules we describe. Then, the 
confidentiality of the final score of the weighted summation 
is verified. Finally, we verify the confidentiality of the final 


'The codes of all rules are detailed at https://github.com/PIWSProtocol/ 
PIWS/tree/main/Formal_analysis/PIWS.spthy 
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score of the weighted summation under the condition that 
one party is corrupted and his temporary private key is 
leaked. 

The verification results of the reachable property are shown 
in Fig. 2. The results show that our descriptions of the protocol 
execution process, equation theory, and state transition rules 
are complete and correct. As for the security of the PIWS 
protocol, Tamarin gave a clear analysis termination and veri- 
fication process. The confidentiality verification results of the 
protocol under the Dolev-Yao model are shown in Fig. 3. 
It can be seen that after the Tamarin tool has traversed all 
paths, the target attributes on all-trace are satisfied, and the 
confidentiality is successfully verified.” 

This article proposed the privacy intersection weighted 
sum protocol PIWS. Based on this protocol, a fair and 
extendable privacy-preserving weighted voting system with 
perfect ballot secrecy is actually developed and deployed. The 
PIWS protocol realizes the protection of the weighting and 
tallying process through variants of the privacy intersection 
protocol and homomorphic encryption algorithms and proves 
the security of the protocol through a polynomial reduction 
under the honest and curious model. In order to further 
guarantee the security of the protocol, the formal verification 
based on the formal analysis tool Tamarin is given. Finally, 
through protocol comparison and efficiency analysis after the 
actual deployment of the protocol, it can be seen that our 
PIWS protocol and the weighted voting system can realize 
the weighted voting rule reliably, conveniently, and efficiently, 
whose ballot secrecy ensures voters vote in line with their 
wishes safely and boldly. Obviously, in addition to privacy- 
weighted voting, our protocol will have a wider range of 
application scenarios, such as privacy-preserving consensus 
establishment or industrial control decision-making. 


C. Other Properties for Voting Protocols 


In Sections V-A and V-B, we provided the security proof 
and formal verification of our PIWS protocol. This section 
discusses other attributes that the voting protocol needs to 
satisfy, which show that our PIWS protocol can meet the 
security requirements when it is applied to the weighted voting 
scenario. 

1) Eligibility and Uniqueness: The former requires that 
only authorized voters are allowed to submit ballots, and 
unauthorized voters are not allowed to vote. The latter requires 
each voter to cast a ballot only once. In the actual deployment 
of our PIWS protocol, the privacy-preserving intersection of 
the two parties’ identity identifier sets is essentially a process 
of screening the eligibility of voters. The identity server 
maintains all identity identifiers and weights of voters, and 
it can provide a set of legitimate voters and their weight 
information. Only the ballots of legitimate voters will be 
selected by the intersection and included in the tallying phase. 
Conversely, ballots from illegal voters or duplicate votes are 
automatically ignored at intersections. The privacy-preserving 
automatic intersection completes the screening of legitimate 


For details of the experiment, please refer to 


https://github.com/PIWSProtocol/PIWS/tree/main/Formal_analysis 
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voters, which makes it possible to call for a wider range of 
voters to participate in voting activities when the actual vote 
is initiated. The ballots that are actually included, weighed, 
and counted in the tallying phase can be flexibly set through 
the weight server. In this way, privacy and ballot secrecy can 
be guaranteed by hiding them among the massive voters and 
ballots. 

2) Privacy: This requires that all ballots should be kept 
secret from any authority, and voters’ ballot scores or pref- 
erences should never be revealed. In Chapter 5, we provide 
security proof that the protocol is indistinguishable from 
the security privacy-preserving simulator with perfect ballot 
secrecy. It can be seen that our PIWS protocol only discloses 
the voting scores and the optional number of legal voters, and 
no one can know any information about the identity, privacy, 
or ballot information of voters. 

3) Fairness and Integrity: The former requires that the 
entire voting process cannot appear adaptive or abortive voting, 
and the order in which any voter casts his ballot cannot affect 
the voting results. The latter requires that no one be able to 
tamper with the ciphertext of the ballot without being detected. 
These two properties are guaranteed by the security of the 
encryption algorithm. The premise of adaptive or abortive 
voting is that voters have the ability to know the intermediate 
results of voting before casting the vote, and there are two 
very close scores. Thus, the last voter casts a ballot that is 
decisive for the final result. However, in our PIWS, no voter 
can know any information about the intermediate voting stage 
until the final score is decrypted and announced, and therefore, 
no voter can purposely cast an adaptive or abortive vote. 

4) Anonymity: After each ballot is submitted, it must be 
impossible to associate the ballot with its voter. In other words, 
no one can trace the connections between marked ballots and 
voters. This is also guaranteed by the random oracle and 
encryption of identity identifiers and ballots. 

5) Correctness and End-to-End Voter Verifiability: This 
requires that each voter has a reliable method to verify whether 
the corresponding submitted ballot is weighted and counted 
in an expected way and that the final score of the tallying 
is correct. This attribute can be ensured based on the audit 
services provided by the cloud service. Through a public audit 
or third-party audit, it can be ensured that the processing of 
valid ballots by the cloud service provider is completed and 
executed in accordance with the provisions of the protocol. 
That is, the eligibility ballots are correctly, completely, and 
uniquely counted in the tallying process and are not decrypted, 
tampered with, lost, or damaged in the intermediate process. 


VI. DISCUSSION, DEPLOYMENT, AND 
EFFICIENCY ANALYSIS 


A. Discussion 


This section compares and discusses the function, security, 
deployment difficulty, overhead, and scalability of the PIWS 
protocol and existing voting protocols. In terms of functions, 
the current voting protocols can produce the most basic 
single-winner or veto voting rules, but most of them cannot 
be extended to rules of multiwinner voting, ranked voting, 
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Out ACT, ROCID, ~k1)) 
#vr.9 : ChanOut_A[ChanOut_A('T, ROCID, ~k1) )] 
Tauth T, ROC ID, ~k1)) | _Out(<'T, ROCID, ~k1)>) 


!Auth( '1', RO(“ID, ~k1) ) 
#vr.8 : Chanin_A[ChanIn_A( '1', RO(~ID, ~k1) )] 
In_A('1', RO(“ID, ~k1) ) 


‘Out_A('1', RO(“ID, ~k1) ) 
#vr.15 : ChanOut_A[ChanOut_A('1', RO(~ID, ~k1) )] 
lAuth( '1', ROCID, ~k1))_ | Out(<'1', RO(“ID, ~k1)> ) 


lAuth( '1', RO(“ID, ~k1) ) 
#vr.14 : Chanin_A[ChanIn_A('1', RO(“ID, ~k1) )] 
In_A(‘1', RO(“ID, ~k1) ) 


Out AU 2, <RO(ROCID, “Kip, 2), ROCD, K2), CKKS _enc( score, PR(RKA)>) 
CMTE oe HORS cen, ~k2), RO(“ID, ~k2), CKKS_enc(~score, pk(“ItkA))> 


5 REGEN ARREO | PARSE BER ERS Dita, ewan 


TAuth( 2) <RO(ROCID, ~K1), k2), ROCID, “k2), CKKS_enc( score, PRCIKA))>) 
RAE RORE e, =k2), RO(“ID, ~k2), CKKS_enc("score, pk("ItkA))> 
IngAC Z, <RO(ROCID, “k1), “k2), ROC ID, “K2), CKKS_enc(~score, pk(“ItkA))> ) 


Out_A('3', CKKS_mul(CKKS_enc(~score, pk(“ItkA)), CKKS_enc(~weight, pk(“ItkA))) ) 


ARSE Chanout AR pan ut AKRS _enc( score, pk(“ItkA)), CKKS_enc(~weight, pk(~ItkA))) 


p) 


lAuth( '3', CKKS_mul(CKKS_enc(~score, pk(~ItkA)), CKKS_enc(~weight, pk(“ItkA))) ) = 
#vr.4 : transform[Transform( )] 


Aks pekk: IERA. 
) 


enc( weight, 


ONTE a 
"EIS pues enc score ei) 
) 


USES Ou a 
) CKKS_enc(mul(~score, ~weight), pk(~ItkA)) ) KKS_enc(mul(~score, ~weight), pk(~ItkA))> 


ae 


!Auth( '3', CKKS_enc(mul(~score, weight), pk(~ItkA)) ) 


| #vr.3 : ChanIn_A[ChanIn_A('3', CKKS_enc(mul(~score, ~weight), pk(~ItkA)) )] 


P In_A(‘3', CKKS_ene(mul(~score, “weight), pk(~ItkA)) ) 


Formal verification of the reachable property. 
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compu 


verified (13 
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Fig. 3. Confidentiality verification of PIWS. 


and weighted voting because of the fixed content of the 
ballots. Moreover, the anonymity and privacy protection of the 
weighted voting protocol are more difficult to achieve, because 
the weight values may threaten the privacy of voters while pro- 
tecting the ballot secrecy. In terms of security, majority voting 
protocols have taken into account the protection of security 
properties, such as anonymity, fairness, and voting confiden- 
tiality. They use blind signature algorithms, zero-knowledge 
proofs, new encryption algorithms, and even trusted comput- 
ing technology based on hardware security to achieve these 
security properties, where hardware-secure trusted comput- 
ing is regarded as relying on trustworthy authorities in our 


comparison. In terms of efficiency, no multicounting agency 
indicates whether there are additional physical overheads when 
the scheme is deployed. The additional overhead means that 
the time or computation cost is uncorrelated with the execution 
of the protocol. Moreover, it is difficult to judge whether an 
additional overhead is because of extra system infrastructure 
used in the scheme or because of system overhead, in addition 
to the protocol. For example, a voting scheme based on a 
blockchain system often maintains the voting bulletin board 
through a consensus mechanism to realize open, fair, and 
verifiable voting, and the processes of block mining and 
consensus building will incur a higher cost due to additional 
time requirements. Voting schemes based on secure multiparty 
computing can achieve the final ballot counting privately 
during the tallying phase, which generates higher additional 
computational overhead for constructing garbled circuits or bit 
commitments. To present a more comprehensive comparison 
of the efficiency, the fuzzy estimation of the calculation costs 
for the protection of one ballot was provided. We use S 
to represent the signature calculation cost, E to represent 
the encryption algorithm cost, T to represent the threshold 
scheme cost, G to represent the garbled circle gate calculation 
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cost, HE to represent the homomorphic encryption overhead, 
N to represent the noninteractive zero-knowledge proof over- 
head, and H to represent the hash cost, and based on these 
representations, we provide a coarse-grained cost estimate. 
It can be seen from the estimation results that when compared 
with the other protocols, the PIWS protocol does not incur 
higher overloading overhead under the premise of ensuring 
security. Voting rule scalability refers to the flexibility in the 
formulation of the ballot content, and different voting rules 
can be realized by adjusting the form of ballots neatly and 
lightly. Compared with other voting protocols, our proposed 
protocol has certain advantages in terms of function, security, 
and efficiency, as shown in Table IV. In addition, the PIWS 
protocol has low demand for ciphertext operations; especially, 
the homomorphic calculation of ciphertext multiplication is 
required only once. This can effectively avoid the expansion 
problems of plaintext and noise caused by repeated ciphertext 
multiplication operations. In addition, our PIWS protocol 
is essentially a secure multiparty computing protocol based 
on homomorphic encryption. The CKKS-based deployment 
of the PIWS protocol can be regarded as an instantiation, 
and its homomorphic encryption algorithm module can be 
implemented by calling the BFV in the SEAL library or the 
BGV in the HElib library. Plaintext-based scalar multiplication 
of the weight values can also achieve the privacy-preserving 
vote counting in some voting scenarios where privacy pro- 
tection requirements are not very high, and omitting the 
weight encryption appears to enhance the efficiency. How- 
ever, considering the importance of the weight values in the 
privacy protection of voters, we strongly recommend that 
the weighted vote tallying process use the encrypted weight 
values to achieve more stringent privacy protection. This can 
avoid the privacy leakage problem caused by the leakage of 
the weight values. Moreover, in the actual deployment and 
implementation of the PIWS, the value of the weight is usually 
stored in the server. The identity and weight information of the 
voters are immediately encrypted and stored in the server when 
they register. The encryption of the weight values is performed 
offline and does not directly affect the efficiency of the PIWS 
protocol. Therefore, we suggest that the PIWS protocol should 
use the encrypted weight values with acceptable efficiency 
overhead. 


B. Deployment and Efficiency Analysis 


The above-mentioned efficiency evaluation and comparison 
of PIWS and schemes, such as [24] and [25], from the 
theoretical level show that PIWS has superior performance. 
Furthermore, in order to evaluate whether the scheme is 
applicable in real scenarios, we analyzed the actual efficiency 
of the protocol. However, due to the lack of available code for 
existing schemes (e.g., [24], [25], [36]), the actual deployment 
of these schemes cannot be completed. Thus, the following 
will focus on the practicability and feasibility analysis of the 
PIWS protocol. To this end, we deployed the PIWS protocol 
with voting as the actual application to form a weighted voting 
prototype system with 20 K lines of code.* We analyzed the 


3The source code of the system is available at 


https://github.com/PIWSProtocol/PIWS/tree/main/Sourse_code 
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Fig. 4. Memory overhead analysis of PIWS protocol deployment 
(A = 8192). (a) Memory with different number of voters. (b) Memory with 
different number of candidates. 
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Fig. 5. Time overhead analysis of PIWS protocol deployment (A = 8192). 
(a) Time with different number of voters. (b) Time with different number of 
candidates. 


operating efficiency of this prototype system from two per- 
spectives. On the one hand, the protocol uses CKKS encryp- 
tion to encrypt the weights and scores of the ballots, so our 
efficiency analysis first considered the relationship between the 
number of voters and memory efficiency during encryption 
and communication in the actual deployment. On the other 
hand, we evaluated the relationship between the time cost of 
the two parties and the number of voters after the protocol 
implementation. We deployed two virtual machines on an Intel 
Core 17-10875H CPU at a 2.30-GHz six-core processor and 
constructed the PIWS protocol Party 1 and Party 2. Both 
virtual machines were Ubuntu 20.04.1 LTS, with 3 GB of 
memory and 25 G of physical storage. The analysis of the 
memory overhead and time overhead is shown in Figs. 4 and 5. 
In Figs. 4 and 5, the security parameter 2 = 8192 or 16384, 
(a) the number of voters nyo = 2 K, and (b) the number of 
candidates nean = 100. 

Fig. 4(a) reflects the approximate linear correlation between 
the number of voters and the memory overhead of communi- 
cation and communication. It is attributed to the number of 
voters will increase the number of operations and ciphertext. 
In particular, when the number of voters is as high as 10 K, 
the memory overhead for computation and communication is 
47.3 and 3.7 MB, respectively. Fig. 4(b) indicates that the 
number of candidates has a weak effect on the computational 
memory overhead, even if it is independent of the commu- 
nication memory overhead. It is by reason of the size of 
the ciphertext is determined by security parameters, so that 
only the memory overhead in the encryption and decryption 
phases is related to the number of candidates. When the 
number of candidates is as high as 1 K, the memory overhead 
for computation and communication is 18.7 and 1.47 MB, 
respectively. Fig. 5 shows a similar phenomenon to the earlier 
one, where the total time overhead has a linear relationship 
with the number of voters and is almost unaffected by the 
number of candidates. Especially, when the numbers of voters 
and candidates are 10 and 100 K, respectively, the total time 
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TABLE IV 
COMPARISON OF PIWS PROTOCOL AND OTHER VOTING PROTOCOLS 
Piotowl Functions Security efficiency Scalabilit 
Multi-winners|Ranked voting | Weighted voting | Anonymity | Fairness | Ballot secrecy|No trusteworthy authority | No multi-counting agency | No additional overhead | Calculation costs y 
[24] x x x = = v x v v 2S +1E x 
[25] x x x v v v x v x 2S +4E - 
[34] x x x y v v v x x 1T +2E - 
[35] v x es v v v v a . 8G + 3HE - 
[36] v v v v v v 1T + 2HE = 
[38] x x x v v v v v x 1E+1N + 1H y 
[41] f v v G v v x é x = x 
[3] x v x ë v v v v x 3HE -= 
PIWS % v v v v s v v v 2HE v 
Note: /means satisfaction, x means dissatisfaction, - means no mention or no evaluation 
ee TR In addition, we can draw similar conclusions by comparing 
o -æ- C icati 25K K i 
S ea Figs. 4(b) and 6(b). It is noted that when nen = 1 K, 
a 15K Nyo = 2 K, and A = 16384, the memory overhead of PIWS 
3 20K IK only requires 27.93 MB. It suggests that in real scenarios, 
@ 10K 1295. 5 . . . 
at Aee aha Peia eyes ss sel PIWS has no restrictions on hardware and is easy to deploy. 
0 2K 4k 6K 8l 10K 0 200 400 600 800 1K . . 
Number of veters Number of candidates Furthermore, through the comparison of Figs. 5(a) and 7(a), 
(a) (b) : : : 3 
it can be found that since the impact of the security parameters 
Fig. 6. Memory overhead analysis of PIWS protocol deployment ON the encryption operation ie. complexed encryption and 


(A = 16384). (a) Memory with different number of voters. (b) Memory with 
different number of candidates. 
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m= Weight encryption 
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Fig. 7. Time overhead analysis of PIWS protocol deployment (4 = 16384). 
(a) Time with different number of voters. (b) Time with different number of 
candidates. 


overhead is about 18.3 s. Moreover, the total time overhead 
is about 10 s when the numbers of voters and candidates 
are 2 and 1 K, respectively. It should be noted that in 
this efficiency experiment, the 10/2 K voters were actually 
simulated encrypted 10/2 K voting scores and identity weight 
values. The time of 18/10 s was the time used for tallying the 
voting scores by the server after the voting stations received 
the voters’ ballot scores. 

In addition, for the purpose of meeting the user’s security 
requirements, we further explore the impact of the security 
parameters on the memory and time overhead. Figs. 6 and 7 
show the corresponding experimental results, which confirm 
the stability of the experimental phenomena described earlier. 
By comparing Figs. 4(a) and 6(a), it can be found that the 
memory overhead used for encryption is positively correlated 
with the security parameters. When nyo = 10 K, ten = 
100, and A = 16384, the memory overhead only requires 
47.37 MB, which is about 1.5x that of 2 = 8192. This can 
be attributed to the security parameter increasing the length of 
the ciphertext, thus making the calculation more complicated. 
Moreover, since PIWS only performs modular cryptographic 
operations on the identity ID during the communication phase, 
the operations of this process are not affected by security 
parameters. Thus, the communication operation has consis- 
tent memory overhead under the two security parameters. 


increased ciphertext length), the time overhead of operations 
such as voting encryption, weight encryption, homomorphic 
calculation are all positively correlated with the security para- 
meters. When nyo = 10 K, nean = 100, and 2 = 16384, 
it takes 48.97 s to execute the entire PIWS process, which 
is about 2.5 times that of 4 = 8192. Similarly, the results 
shown in Figs. 5(b) and 7(b) also drafted the above-mentioned 
conclusions. Moreover, it shows that when nen = 1 K, 
nyt = 2 K, and 24 = 16384, the execution of the entire 
PIWS process requires 28.44 s. These overheads are barely 
acceptable for running two virtual machines on a host with 
lower performance in our experiment and will be more trivial 
for servers with stronger computing and storage capabilities. 
In conclusion, the results of the efficiency analysis show that 
the actual deployment of our PIWS protocol in a voting 
application scenario was efficient and feasible. 


VII. CONCLUSION 


This article proposed a privacy-preserving intersection 
weighted sum protocol (PIWS). Based on this protocol, a fair 
and extendable privacy-preserving weighted voting system 
with perfect ballot secrecy is developed and deployed. The 
PIWS protocol achieves the weighted sum calculation with 
the protection of two parties’ private information, including 
weighted values and ballot scores, and the security of PIWS is 
proven strictly under the honest but curious model. To further 
guarantee the security of the protocol, formal verification 
based on the formal analysis tool Tamarin is provided. Finally, 
through the comparison and efficiency analysis after the actual 
deployment of the PIWS protocol, it can be seen that PIWS 
and the weighted voting system can implement a weighted 
voting rule reliably, conveniently, and efficiently and have clear 
advantages in function, efficiency, and security. The property 
of the ballot secrecy encourages voters to vote in line with 
their wishes safely and confidently, and computing privacy 
can make the tallying process credible and unmanipulated. 
Evidently, in addition to privacy-weighted voting, our protocol 
will have a wider range of application scenarios. Universally, 
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the 
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PIWS protocol can be used in all scenarios with the 


weighted sum for privacy protection requirements, such as 
privacy-preserving weighted sum computation of business 
data, health data, key industrial infrastructure data, privacy- 
preserving consensus establishment, industrial control decision 
making, or model update for federated learning. 
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